authorTimo Wilken2023-11-05 01:03:55 +0100
committerTimo Wilken2023-11-05 01:03:55 +0100
commit7409fef3cbe6bba6c66ce8b03aef6c2d9dc6c7e7 (patch)
tree925bbc88193a26d0b0c5fb5b01842be614af4ea6 /tw/system/lap.scm
parentc3ef6ab1a62cf23cd15fd8865ec6bcdf8e7e4ad7 (diff)
Add secrets service
Allow managing secrets and passwords using Guix. Secrets are encrypted in the Guix channel repository and decrypted using a single host key at activation time.
Diffstat (limited to 'tw/system/lap.scm')
-rw-r--r--tw/system/lap.scm21
1 files changed, 21 insertions, 0 deletions
diff --git a/tw/system/lap.scm b/tw/system/lap.scm
index 516de321..33154d5b 100644
--- a/tw/system/lap.scm
+++ b/tw/system/lap.scm
@@ -21,6 +21,7 @@
#:use-module (nonguix licenses)
#:use-module (tw channels)
#:use-module (tw packages scanner)
+ #:use-module (tw services secrets)
#:use-module (tw services wireguard)
#:use-module (tw system))
@@ -446,6 +447,26 @@ EndSection
(list vin)
(list lud))))))
+ (service secrets-service-type
+ (secrets-configuration
+ (secrets
+ (list
+ (secret
+ (encrypted-file (local-file "files/wireguard/lap.key.enc"))
+ (destination "/etc/wireguard/private.key"))
+ (secret
+ (encrypted-file (local-file "files/wireguard/lap-fp4.psk.enc"))
+ (destination "/etc/wireguard/fp4.psk"))
+ (secret
+ (encrypted-file (local-file "files/wireguard/lap-lud.psk.enc"))
+ (destination "/etc/wireguard/lud.psk"))
+ (secret
+ (encrypted-file (local-file "files/wireguard/lap-pi3.psk.enc"))
+ (destination "/etc/wireguard/pi3.psk"))
+ (secret
+ (encrypted-file (local-file "files/wireguard/lap-vin.psk.enc"))
+ (destination "/etc/wireguard/vin.psk"))))))
+
(modify-services (append %system-channel-services %desktop-services)
;; Let sane find the airscan backend. ipp-usb needs to be running separately.
(sane-service-type _ => sane-backends/airscan)
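Review bot: The five `secret` entries added after `(list lud))))))` write a WireGuard private key and four preshared keys under /etc/wireguard, but nothing visible here states the mode or owner the decrypted files receive. That is decided in `(tw services secrets)`, which this hunk does not show; if the `secret` record has permission or ownership fields, set them explicitly at this call site, and otherwise record the guarantee in a comment such as `;; Decrypted at activation; secrets-service-type must leave these readable by root only.` The `local-file` inputs are copied into the world-readable store, so a second comment, `;; Only ciphertext enters the store; confidentiality rests on the host key.`, would make the trust boundary clear to the next reader. It is also worth confirming that the WireGuard service cannot start before activation has written these files. The enclosing services list begins and ends outside the hunk.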